How to configure a ReplicaSet to support TLS/SSL?
Create the Root Certificate
The Root Certificate (aka CA File) will be used to sign and identify your certificate. To generate it, run the command below.
Keep the root certificate and its key in a safe place; both will be used to sign your certificates. The root certificate might be used by your client as well.
Generate the Certificate Requests and the Private Keys
When generating the Certificate Signing Request (aka CSR), input the exact hostname (or IP) of your node in the Common Name (aka CN) field. The other fields must have exactly the same value. You might need to modify your /etc/hosts file.
The commands below will generate the CSR files and the RSA Private Keys (4096 bits).
You must generate one CSR for each node of your ReplicaSet. Remember that the Common Name is not the same from one node to another. Don't base multiple CSRs on the same Private Key.
You should now have 3 CSRs and 3 Private Keys.
Sign your Certificate Requests
Use the CA File (ca.pem) and its Private Key (ca.key) generated previously to sign each Certificate Request by running the commands below.
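The three steps above as one script, given here as an added example rather than the original page's own commands. The node hostnames, subject fields, validity periods, the `KEY_BITS` override, the subjectAltName extension and every file name other than ca.pem and ca.key are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: root CA -> one key + CSR per node -> signed certificates -> checks.
# Assumed (not from the page): hostnames, subject fields, validity periods,
# the subjectAltName extension, and all file names except ca.pem / ca.key.
set -eu

KEY_BITS="${KEY_BITS:-4096}"                  # the page uses 4096-bit RSA keys
SUBJ_BASE="/C=US/O=ExampleOrg/OU=Database"    # identical for every node; only the CN differs
NODES="mongo1.example.internal mongo2.example.internal mongo3.example.internal"

make_ca() {      # $1 = output directory
  ( umask 077; openssl genrsa -out "$1/ca.key" "$KEY_BITS" ) &&   # key readable by owner only
  openssl req -x509 -new -sha256 -key "$1/ca.key" -days 3650 \
    -subj "/C=US/O=ExampleOrg/CN=Example Root CA" -out "$1/ca.pem"
}

make_csr() {     # $1 = directory, $2 = node hostname (becomes the CN)
  ( umask 077; openssl genrsa -out "$1/$2.key" "$KEY_BITS" ) &&   # fresh key per node, never shared
  openssl req -new -sha256 -key "$1/$2.key" \
    -subj "$SUBJ_BASE/CN=$2" -out "$1/$2.csr"
}

sign_csr() {     # $1 = directory, $2 = node hostname
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext" &&          # current TLS clients match on SAN
  openssl x509 -req -sha256 -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt"
}

check_node() {   # the certificate chains to ca.pem and matches the node's own private key
  openssl verify -CAfile "$1/ca.pem" "$1/$2.crt" >/dev/null || return 1
  crt=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
  key=$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)
  [ "$crt" = "$key" ]
}

build_all() {    # $1 = output directory
  make_ca "$1" || return 1
  for n in $NODES; do
    make_csr "$1" "$n" && sign_csr "$1" "$n" && check_node "$1" "$n" || return 1
  done
}

if [ $# -gt 0 ]; then build_all "$1"; fi
```

Run it with an existing output directory as its only argument; `check_node` fails if a certificate was issued against the wrong node's key or does not chain to ca.pem.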